Article by Kevin Savetz

First Published:
Date Published:
Copyright © by Kevin Savetz


Sending e-mail is like sending a postcard-anybody can take a peek at its contents along the way. Yet every day Internet users send millions of e-mail messages this way, oblivious to their no-confidentiality communication. For years, a powerful but free encryption program with the modest name of Pretty Good Privacy allowed users to keep their e-mail and other data private. But after Network Associates, which bought the program in late 1997, couldn't succeed in selling upgraded versions to businesses, it let the program drift into limbo from mid-2001 on, without any real updates. Last summer, however, a new company, PGP Corp., bought the program back, and in December it shipped a new 8.0 version.

PGP 8 (www.pgp.com) runs on Windows 98 or newer Microsoft operating systems, as well as Mac OS X 10.2. Older versions of the software are available for other operating systems at www.pgpi.org, so you can share secret messages with just about anyone.

This program uses what's called "public key cryptography," in which every user has two "keys," one public and one private. You encrypt an outgoing message with the recipient's public key, available to anybody who asks. That scrambled message can then only be decrypted by the recipient's private key, which stays on that person's hard drive, protected by a password. No intermediary or central authority is involved.

You don't need any mathematics knowledge to use the program, but you will need to read the manual. While this version of PGP manages to insulate users from many of the more complex concepts of cryptography, you do need to grapple with concepts like keyrings, trust meters and fingerprints.

PGP offers several versions of PGP 8, starting with PGP Freeware. This free download-for non-commercial use only-covers the basics of creating keys, sharing the public one on an online "key server" for other users' convenience, encrypting and decrypting data and signing messages, which lets a recipient verify that the message actually came from you and wasn't altered on the way.

PGP Freeware is more than enough for encrypting the occasional message and keeping snoops from reading your unfinished great American novel, and includes a handy tool search for other people's public keys at key servers. But it doesn't tie into any e-mail programs, forcing a copy-and-paste procedure each time you want to encrypt or decrypt a message.

The $39 PGP Personal edition adds PGP Mail, which embeds PGP functions in the Outlook and Outlook Express e-mail programs on Windows and Apple Mail and Microsoft Entourage on the Mac. With this, encrypting and decrypting e-mail was easy, even huge messages with MP3 files attached.

PGP Personal also bundles PGPdisk, which fences off an encrypted, password-protected area on your disk drive. That last feature makes PGP useful for far more than just sending messages: you could use it to create an encrypted folder for financial statements, for instance.

The company also offers "Desktop" and "Enterprise" versions that support office-wide mail systems.

But what if PGP Corp. pulls the same trick as Network Associates and orphans the program? Users anxious about that might want to consider an open-source, PGP-compatible program called Gnu Privacy Guard (www.gnupg.org). It is available for Windows, Linux, Mac OS X, and several other operating systems, and is free for both personal and commercial use. Since nobody owns it, nobody can take it off the market.

GPG, however, needs another layer of software to become something approachable. Despite its excellent documentation, its text-only, command-line interface remains a roadblock for people uncomfortable with a DOS or Unix-style command prompt.

Windows Privacy Tray (www.winpt.org) adds shortcuts to the Windows system tray to generate keys, sign, and encrypt messages without fussing with the text interface. Similarly, Macintosh users can add on GPG DropThing (available with other front-end software at macgpg.sourceforge.net); its interface is sparse but will let you encrypt and decrypt data without resorting to the command line.

These free programs make the process roughly as easy as with PGP 8 itself-that is, pretty simple once you learn your way around.


Articles by Kevin Savetz